vaultofthearchonfandomcom-20200214-history
148443: Carbine/NCSoft and Security (forum thread)
it is a potential compromise to our forum accounts. I will not speculate on access to our main accounts at NCSoft, but seeing as the whole site is linked, and logging in on the forum usually gives you temporary access to the main site, I consider this important enough. The problem is that the encryption used for SSL (that which encrypts data between you and the forum) is outdated, meaning it can and will be broken. It is not that easy, but it can be done by anyone with malicious intent. The mere fact that Carbine/NCsoft does not take this seriously at all is a joke in itself. Apparently the court orders happening here in the EU with the US and data security haven't sunk in properly yet.

----

It should not be happening. They are using dated security, and whichever manager or product manager approves that is the one that needs to get an education about internet security and the cost associated with it when shit happens.

----

Noted, but not everything is just a 10 minute job with a global company. Like I said, I'll send this up the chain and see what I can come up with. If I have any kind of update, I'll let you know. Thanks for bringing this up though; we do want to make all the things better.

The compromise would be to your forum account only, since game login and forum login are on separate database systems. I want to assure you, though, that we do have multiple strongholds for keeping accounts from getting compromised, but we do understand that there is concern. Again, I'll push this information forward and see that we are sufficiently protecting our customers.

As always though, and this is with anything that requires email/password login (that would be the entire internet), best practice is to change your passwords periodically and to never keep them the same across the board. Meaning, you don't want any of your internet passwords to be the same password that you use with your online banking.

----

Whether it's a 10 minute job, a 10 hour job, or even a 10 day job is essentially irrelevant. Outdated security is outdated security, and it needs to be taken seriously and fixed as a priority. It's not as if the situation is anything new; it's been going on for MANY months and has been reported repeatedly.

----

You're right that a properly implemented change would take more than 10 minutes, and you've outlined the time-tested and proven best practices above. But I've seen over the past year and a half how Carbine cowboys changes in, and the items struck out above seemingly are not practiced. However, the change still won't take 10 minutes, because they'll *cupcake* up the change and it will take twice as long to un-*cupcake* it as it would have if they'd just followed change management best practices in the first place.

----

As someone who knows about Information Security, it is a fact that security is only ever as strong as the weakest link. Your affirmations about 'multiple strongholds for keeping accounts from getting compromised' are not going to help. I understand that layered security is fantastic and that MOST users here already choose weak passwords that would be compromised even with everything possible done on your end, so why bother? The 'human element' and social compromises are something that even the best security can't overcome! The answer to that is that it is your obligation as a company to do everything on YOUR end that is reasonably possible to secure our information, especially when that information includes personal financial details, credit card details, and payment credentials. It is difficult to expect your users to be able to choose a secure password when the NcSoft Account has a hard-coded password limit of a MAX of 16 characters, like we are still in the 1990s.

I would love to be able to tell dozens of friends/guildmates and other buddies (real and virtual) that it is safe to just enter their credit card info to get that thing NOW instead of waiting to buy an NCoin card from a retailer to keep their personal financial info safe. I cannot in good conscience recommend that they use any CC info with the current poor state of security within NcSoft's systems (and WildStar's systems). The friction involved in making a purchase due to lack of consumer confidence about security will affect ALL of NcSoft's sales and profits, not JUST WildStar. They should realize that a profitable company will not depend solely on any one country/region to the exclusion of all others. Truly profitable companies do their best to appeal to a worldwide audience.

This is something that has been ignored for well over a year. The security must be upgraded as soon as possible or we will scare off what few interested players we have left. This should be handled before Drop 7 or we will have tons of people that want to play but are unable to do so. The way things are regarding forum and account security seems exceedingly unprofessional and unbecoming of Carbine as a company. I realize you are hindered by NcSoft issues, but a good engineer will work with what they have rather than yell at what they do not have.

The 2FA is an optional band-aid that most of your playerbase still doesn't know about. We are prominently notified of Login Rewards, Signature Status, and Cash Shop/Store updates. We are not notified (on every login) that we should secure our account with 2FA to obtain X benefits. It seems that outside of Cash Shop updates, the cadence of other issues has been dropped to the back burner. This is unfortunate and hinders player confidence in Carbine as a company being a valued place to spend our money.

I've had to use a portable outdated version of Firefox v42 JUST for these forums, and it is a pain. There is no justification for it when major companies like CloudFlare report that less than 0.0009% of their services utilize RC4-only ciphers. Did you notice the date on that? May 7th of 2014. They waited until February 23rd of 2015 to fully disable it. That was done almost a year ago. What is NcSoft waiting for? What do we as the playerbase need to do to convince NcSoft to prioritize a system-wide security upgrade and passwords longer than 16 characters (up to 200 characters would be ideal)?

Edited January 5, 2016 by FantasticCupcake

----

Just adding that I'm having the same issue as well, using 43.0.3 64-bit of Firefox too. Using my phone to post at the moment. Also, just to give some additional information on weirdness: if I do a search on the Blade and Soul forums, WildStar threads come up in the results, but the reverse doesn't happen. Think you might want to let NCSoft know this...

Edited January 5, 2016 by Typrop

----

Not that the underlying issue doesn't need to be corrected.. but I'm not seeing the same error, using the same version of Firefox..

----

Have you altered any security settings? I've not touched them since I originally installed Firefox. When I first saw this thread the only issue I had was a weak encryption notice; then early yesterday morning the website just stopped loading and gave that error message. I'm surprised we've not had a Carbine response saying it's been looked at, again.

Edit: Firefox is now back to normal with no changes done by me. I still get the weak encryption warning though.

Edited January 6, 2016 by Saccharin

----

Nope, default install.. I get the weak encryption warning, but that's it..

----

It seems fixed for me, so maybe it was fixed by the time you logged in.

----

Firefox did an update and doesn't block. But the security hole is still there.

----

This.

https://twitter.com/codemasher/status/651796533856325632

Edited January 8, 2016 by Smiley

----

This RC4 issue had been going on for quite some time. So we're in this thread for January 2016, a continuation of this older thread from Dec 2015, and even earlier referenced in my older thread from Nov 24, 2015 and another prior to that on Nov 19, 2015. This issue was prevalent even before F2P, as far back as July 2015 (and likely earlier threads I couldn't find).

So finally, after all this time, we've done it! NO MORE RC4 WOHOOOOO!

Oh dear. Whoever they have setting up the ciphers messed up something. Oh dear. >_<

I'll make this very simple. The server settings for (login/forums/shop/ncoinpurchases) should look like this (wildstar support website).

It is a small victory to finally deprecate RC4 (at the last minute before it renders most of your audience unable to visit your website and store). There is still work to be done to update it *properly*, but humbled cupcake is humbled. Huge major thank you to all Carbine Staff (and NcSoft Staff) that were involved in getting this finally pushed out the door. It can't have been easy, and I hope that NcSoft realizes that security is an ongoing thing and not a 'fire and forget' thing. It directly affects their bottom line if consumer confidence about security is inadequate/low.

Let's hope the newly-accessible forums result in a notable upswing in player activity now. I'm happy and confident in easily recommending this game to my gaming friends and colleagues that would enjoy a good gaming challenge. Now that people can actually access the forums/account/website without needing a separate portable browser, a whole new world has opened up for us! Rejoice! ^_^

----
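Editor's note. The whole thread turns on one fact that is visible on the wire: which cipher suite the server names in its ServerHello. The "weak encryption" warning, the Firefox 43 hard failure and the final "NO MORE RC4" are all just that one 2-byte field changing. The Python below is an added example, not code from the thread, from Carbine or from NCSoft: it parses a TLS 1.2 ServerHello record, extracts the negotiated suite and reports whether it is one of the RC4 suites. The two records it checks are constructed inside the script as fixtures (not captured from any NCSoft host); the RC4 suite identifiers are those in the IANA TLS cipher suite registry, and the "known good" table is a small hand-picked set of AEAD ECDHE suites used only to put a name on the result.

```python
"""Decode the cipher suite negotiated in a TLS ServerHello and flag RC4."""
import struct
from typing import Dict, Tuple

# RC4 cipher suites by IANA identifier (RFC 5246, RFC 4492, RFC 4279, RFC 5489).
RC4_SUITES: Dict[int, str] = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA",
    0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}

# A small, hand-picked set of forward-secret AEAD suites, used only for naming.
GOOD_SUITES: Dict[int, str] = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}


def parse_server_hello(record: bytes) -> Dict[str, int]:
    """Parse one TLS record carrying a ServerHello (RFC 5246 section 7.4.1.3).

    Layout: record header (type 0x16, version, length) -> handshake header
    (type 0x02, 3-byte length) -> server_version, 32-byte random,
    session_id<0..32>, cipher_suite (2 bytes), compression_method (1 byte).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                    # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len              # skip session_id
    if pos + 3 > len(hello):
        raise ValueError("ServerHello too short for cipher_suite")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite,
            "compression": hello[pos + 2]}


def classify_suite(suite: int) -> Tuple[str, str]:
    """Return (verdict, name): 'RC4' for any RC4 suite, 'OK' for the known
    AEAD set, 'UNKNOWN' otherwise so nothing silently passes."""
    if suite in RC4_SUITES:
        return "RC4", RC4_SUITES[suite]
    if suite in GOOD_SUITES:
        return "OK", GOOD_SUITES[suite]
    return "UNKNOWN", "0x%04x" % suite


def assess_server_hello(record: bytes) -> Tuple[str, str]:
    """Parse a ServerHello record and classify the suite the server chose."""
    return classify_suite(parse_server_hello(record)["cipher_suite"])


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record as a test fixture
    (synthetic bytes, not captured traffic)."""
    hello = (struct.pack("!H", version) + bytes(range(32))   # version + random
             + b"\x00"                                        # empty session_id
             + struct.pack("!H", suite) + b"\x00")             # suite, null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed fixtures: an RC4 server, an ECDHE-RC4 server, and a fixed one.
    for suite in (0x0005, 0xC011, 0xC02F):
        verdict, name = assess_server_hello(build_server_hello(suite))
        print("%#06x  %-45s %s" % (suite, name, verdict))
```

To use this on a live host, feed it the first record the server sends back after the ClientHello (for instance carved out of a pcap); the two-byte field it reports is the whole of the "dated security" argued about above. The UNKNOWN verdict is deliberate: after RC4 is removed, a server that now offers only suites the checker (or a browser) does not recognise is exactly the "messed up something" outcome described in the last post, so the absence of RC4 is not by itself a pass.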